A550
= Firmware info =

== Version ==

The trick with the ver.req file works on the A550 as well, with the following result:

<pre>
Canon PowerShot A550
P-ID:3150 PAL V
firmware ver GM1.00C
No error
Dec 4 2006 07:46:45
</pre>

== Memory map ==

Tested on A550 with blink G7 firmware dump.

=== Led ===

* 0xc0220080: AF beam: (0x46 ON - 0x44 OFF)
* 0xc02200e0: blue print: (0x46 ON - 0x44 OFF) (not sure...)

= Blinker =

== Firmware compilation ==

The serial port download solution is the choice for dumping the firmware. The Blink G7 source code (main.c) must be modified according to the LED memory map:

<pre>
long* led=(long*)0xc0220080;
</pre>

The blink G7 firmware was compiled using cygwin in the 'ready-to-use' environment pack downloadable here. Before compiling, the last row of make.bat must be edited:

<pre>
pakwif PS.FIR main 0x3150
</pre>

where 0x3150 is the P-ID shown by the ver.req trick.

== Firmware is dumped ==

I have made a dump from 0xFFC00000 to 0xFFFFFFFF, and this is the result: Firmware A550 100c

= Compile the CHDK =

First of all, download an svn client and then execute:

*'svn checkout http://tools.assembla.com/svn/chdk/trunk chdk' --> where chdk is the folder in which to put the files. Using A560 source as the base code.
*'Modify folder structure': rename the folder platform\a560\sub\100a to platform\a550\sub\100c and loader\a560 to loader\a550
*'Copy the PRIMARY.BIN in platform\a550\sub\100c' (dump of the camera)
*'Modify file core\rav.h':

<pre>
#elif defined (CAMERA_a620) || defined (CAMERA_a710) || defined (CAMERA_a550) || defined (CAMERA_a560)...
#define ROWPIX 3152 // for 7 MP
#define ROWS 2340 // for 7 MP
</pre>

*Add the new camera to the Makefile.Inc (root folder):

<pre>
PLATFORM=a550
PLATFORMSUB=100c
</pre>

*'Modify Makefile.Inc' --> in platform\a550\sub\100c

<pre>
#0x3150
PLATFORMID=12624
</pre>

*'Modify boot.c': Start from the function kernelInit, found with IDA and called in h_usrKernelInit. Walk back (XREF) in IDA until the function boot... Rename the function calls with your addresses, e.g.:
excVecInit => sub_FFCB6DB8

This (right or wrong) is the result:

<pre>
void boot() {
    long *canon_data_src = (void*)0xFFEEB4D0;
    long *canon_data_dst = (void*)0x1900;
    long canon_data_len = 0xB540;
    long *canon_bss_start = (void*)0xCE40; // just after data
    long canon_bss_len = 0x9F2B0 - 0xCE40;
    long i;
    ...
}

void h_usrInit() {
    asm volatile (
        "STR LR, [SP,#-4]!\n"
        "BL sub_FFC01968\n"
        "MOV R0, #2\n"
        "MOV R1, R0\n"
        "BL sub_FFCC1CEC\n" //unknown_libname_201
        "BL sub_FFCB6DB8\n" //excVecInit
        "BL sub_FFC011C4\n"
        "BL sub_FFC01728\n"
        "LDR LR, [SP],#4\n"
        "B h_usrKernelInit\n"
    );
}

void h_usrKernelInit() {
    asm volatile (
        "STMFD SP!, {R4,LR}\n"
        "SUB SP, SP, #8\n"
        "BL sub_FFCC21EC\n" //classLibInit
        "BL sub_FFCD2318\n" //taskLibInit
        "LDR R3, =0x4E60\n"
        "LDR R2, =0x9C4C0\n"
        "LDR R1, [R3]\n"
        "LDR R0, =0x9D010\n"
        "MOV R3, #0x100\n"
        "BL sub_FFCCDF08\n" //qInit
        "LDR R3, =0x4E20\n"
        "LDR R0, =0x51C0\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" //qInit
        "LDR R3, =0x4EDC\n"
        "LDR R0, =0x9CFE4\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" //qInit
        "BL sub_FFCD66D4\n" //workQInit
        "BL sub_FFC012B0\n"
        "MOV R4, #0\n"
        "MOV R3, R0\n"
        "MOV R12, #0x800\n"
        "LDR R0, =h_usrRoot\n"
        "MOV R1, #0x4000\n"
        "LDR R2, =0xCF2B0\n" // 0x9F2B0 + 0x30000
        "STR R12, [SP]\n"
        "STR R4, [SP,#4]\n"
        "BL sub_FFCCF558\n" //kernelInit
        "ADD SP, SP, #8\n"
        "LDMFD SP!, {R4,PC}\n"
    );
}

...

void h_usrRoot() {
    asm volatile (
        "STMFD SP!, {R4,R5,LR}\n"
        "MOV R5, R0\n"
        "MOV R4, R1\n"
        "BL sub_FFC019D0\n"
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC6CA4\n" //memInit
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC771C\n" //memPartLibInit
        //"BL sub_FFC017E8\n" //nullsub_1
        "BL sub_FFC01704\n"
        "BL sub_FFC01A0C\n"
        "BL sub_FFC019F0\n"
        "BL sub_FFC01A38\n"
        "BL sub_FFC019C4\n"
    );
    ...
    asm volatile (
        "LDMFD SP!, {R4,R5,LR}\n"
        "B sub_FFC0136C\n" //IsEmptyWriteCache_2
    );
}
</pre>

I'm not sure this is the correct boot.c. If anyone sees an error (in code or procedure), report it to me... thanks!
*'Finish Makefile.Inc' --> in platform\a550\sub\100c

<pre>
MEMBASEADDR=0x1900
RESTARTSTART=0x50000
# find in original h_usrKernelInit()
MEMISOSTART=0x9F2B0
MEMISOSIZE=0x30000
ROMBASEADDR=0xffc00000
</pre>

HELP: I don't know how to find the missing functions in lib.c and stubs_entry_2.S.

*'stubs_entry_2.S'

<pre>
// find in IDA
NHSTUB(Close, 0xFFCC5108)
NHSTUB(Remove, 0xFFCC549C)
// near unmount
NHSTUB(Mount_FileSystem, 0xFFE214C4)
// there are readv and writev?! ...is it the same?
NHSTUB(Read, 0xFFCC5334)
NHSTUB(Write, 0xFFCC53B0)
// I don't know where they are...
NHSTUB(kbd_read_keys_r2, 0xFF?)
NHSTUB(DisplayImagePhysicalScreen, 0xFF?)
NHSTUB(free, 0xFF?)
NHSTUB(SetZoomActuatorSpeedPercent, 0xFF?)
</pre>

*'lib.c': alone in the dark ;)

point of contact: http://chdk.setepontos.com/index.php/topic,230.0.html

----

NOTE: sorry for my English... I'm an illiterate Italian man :)

= (good) people =

:I own an A550, and offer my time for testing, to anyone who succeeds in getting the firmware... ( idleloop-at-hotmail+dot+com)
:I also own an A550, and would be glad to offer testing time on it. (jarodthelinuxguy -at- gmail -dot- com)
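The 'Modify boot.c' step walks back through IDA cross-references from kernelInit (sub_FFCCF558). As an added example (not from the original page or the CHDK sources), this C program does the same caller search over a raw dump by decoding ARM-mode BL instructions. It assumes little-endian 32-bit ARM code; the sample bytes and their load address 0xFFC01000 are constructed, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Target of an ARM-mode BL located at addr, or 0 if insn is not a BL. */
uint32_t bl_dest(uint32_t addr, uint32_t insn) {
    if ((insn & 0x0F000000u) != 0x0B000000u || (insn >> 28) == 0xFu)
        return 0;                                /* cond 1111 is BLX, skipped */
    uint32_t off = (insn & 0x00FFFFFFu) << 2;    /* imm24 counts words */
    if (off & 0x02000000u) off |= 0xFC000000u;   /* sign-extend 26 bits */
    return addr + 8u + off;                      /* PC reads 8 bytes ahead */
}

/* Store up to max addresses of BLs in rom (loaded at base) that call target;
   return how many were found in total. */
size_t find_callers(const uint8_t *rom, size_t len, uint32_t base,
                    uint32_t target, uint32_t *out, size_t max) {
    size_t n = 0;
    for (size_t o = 0; o + 4 <= len; o += 4) {
        uint32_t insn = rom[o] | (uint32_t)rom[o + 1] << 8 |
                        (uint32_t)rom[o + 2] << 16 | (uint32_t)rom[o + 3] << 24;
        if (bl_dest(base + (uint32_t)o, insn) == target) {
            if (n < max) out[n] = base + (uint32_t)o;
            n++;
        }
    }
    return n;
}

/* Constructed 16-byte sample (not bytes from a real dump), assumed to sit at
   0xFFC01000: MOV R0,R0; STMFD SP!,{R4,LR}; BL 0xFFCCF558; LDMFD SP!,{R4,PC}. */
static const uint8_t sample[16] = {
    0x00, 0x00, 0xA0, 0xE1,  0x10, 0x40, 0x2D, 0xE9,
    0x52, 0x39, 0x03, 0xEB,  0x10, 0x80, 0xBD, 0xE8 };

/* Address of the first caller of kernelInit (sub_FFCCF558) in the sample. */
uint32_t sample_first_caller(void) {
    uint32_t hit = 0;
    find_callers(sample, sizeof sample, 0xFFC01000u, 0xFFCCF558u, &hit, 1);
    return hit;
}

int main(void) {
    printf("BL sub_FFCCF558 at 0x%08X\n", (unsigned)sample_first_caller());
    return 0;
}
```

To scan a real dump, read PRIMARY.BIN into a buffer and pass it to find_callers with base set to ROMBASEADDR (0xffc00000).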